Medical Identity Theft: Discussion – Medical Identity Theft and HIPAA

The HIPAA legislation and privacy rule were written at a time when medical identity theft was not foremost on the minds of policymakers. While health care fraud as a general issue was definitely on lawmakers' minds (as is evidenced by the specific anti-fraud provisions in HIPAA), medical identity theft and its specific consequences were not.

One provision in HIPAA, which is called the Accounting of Disclosures, [102] could possibly be helpful for some victims of medical identity theft in some circumstances, but it too has exceptions that limit its utility.

HIPAA and Accounting for Disclosures

The HIPAA privacy rule requires covered entities – such as a health care provider – to maintain an accounting for disclosures. An accounting contains a history of disclosures that have been made by the covered entity. The accounting is useful because it allows a covered entity to send amendments to any person who previously received information determined to be incorrect. In addition, the HIPAA accounting requirement allows a patient to ask any covered entity to provide a copy of the accounting.

While this provision might be of particular use to the victim of medical identity theft, the exceptions to the requirement render it almost useless. A covered entity is not required to maintain any accounting of disclosures made for treatment, payment, or health care operations. [103] This restriction may make it impossible for a patient to track the flow of medical information to and from sources that may be perpetrators of identity theft.

The rule (45 C.F.R. § 164.528) has attracted plenty of criticism from covered entities that it is too costly or too difficult to implement. In its 2006 State of HIPAA Compliance Survey, the American Health Information Management Association wrote the following:

“As in previous years, the accounting for disclosures requirement is reported to be a difficult one and is most often mentioned as needing modification. AHIMA and other groups have sought a recommendation for such an amendment from the National Committee on Vital and Health Statistics and the Office for Civil Rights, but at this time no amendment is expected in the near future.” [104]

In response to complaints about the accounting requirement, the Office of Civil Rights has publicly but unofficially stated that it is considering eliminating the accounting requirement altogether or changing it. [105] Eliminating the accounting requirement would be counterproductive, and would serve to ensure that consumers never found out where their health records have gone.

It is readily apparent that health care record keeping will be increasingly automated and networked in the future. [106] This prospect, especially the increased networking, means that the risks of improper access to and disclosure of records will increase in the future. [107] This report has abundantly discussed the consequences of improper access to patient medical information. The U.S. government and its agencies such as HHS must find a way to control improper uses and disclosures. A thorough accounting of disclosures is one way to accomplish that goal.

HHS officials have touted the benefits of digitized environments. One benefit of a digitized medical health care environment is that maintaining an accounting is a relatively simple task, provided that the capability for accounting is built into the system at the beginning and not added on later. Indeed, many automated health record systems installed today already include a capability for accounting for all uses and disclosures, not just those required by the HIPAA rule. [108] Health care providers should include accounting in automated systems not just because of the rule, but because it is a good record keeping policy that protects the provider as well as the patient. The federal government has operated under the Privacy Act of 1974 for many years, and no problems with accounting for health care disclosures have been reported.

A better approach would be to have a universal accounting rule covering all disclosures without any exceptions. Accounting for uses (accesses within the institution maintaining the records) would also be helpful to record subjects and to record keepers. A full, robust data accounting architecture and system should be an essential element of any National Health Information Network (NHIN). With sufficient notice, system vendors will be able to meet any accounting requirements at marginal cost.

Whether the HIPAA accounting rule was an unreasonable burden when imposed on paper or computer systems that did not already include the ability to do accounting is an open question. However, for any computerized system of health records – and certainly for any computer system established in the future and certainly for any network – accounting should be a universal requirement for all disclosures and for all internal uses as well. No exceptions to accounting should be permitted when the accounting can be accomplished automatically and inexpensively by well-designed software designed in advance to meet a requirement.
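As an added illustration (not from the report or any vendor product), the ledger below sketches the accounting architecture the report argues for: every use and disclosure is appended, a patient can request the full accounting, and prior recipients of a record element can be found when an amendment must be sent; a flag shows how much of that history the § 164.528 treatment/payment/operations exception hides. The event fields, purpose labels and sample entries are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Purposes that 45 C.F.R. 164.528 exempts from the accounting (labels constructed)
TPO = {"treatment", "payment", "operations"}

@dataclass(frozen=True)
class Event:
    patient_id: str
    when: date
    kind: str        # "disclosure" (left the entity) or "use" (internal access)
    recipient: str   # outside party, or the internal user for a "use"
    purpose: str
    items: tuple     # record elements involved

class DisclosureLedger:
    """Append-only ledger of all uses and disclosures (assumed design)."""
    def __init__(self):
        self._events = []
    def record(self, ev):
        self._events.append(ev)  # entries are only ever appended, never edited
    def accounting(self, patient_id, universal=True):
        """universal=True returns everything (the report's recommendation);
        universal=False applies the 164.528 exceptions: uses and TPO drop out."""
        out = []
        for ev in self._events:
            if ev.patient_id != patient_id:
                continue
            if not universal and (ev.kind == "use" or ev.purpose in TPO):
                continue
            out.append(ev)
        return out
    def amendment_recipients(self, patient_id, item):
        """Outside parties that received `item`, so a correction can be sent."""
        return sorted({ev.recipient for ev in self._events
                       if ev.patient_id == patient_id
                       and ev.kind == "disclosure" and item in ev.items})

def build_sample_ledger():
    """Constructed sample: one patient whose record moved four ways."""
    led = DisclosureLedger()
    d = date(2006, 3, 1)
    led.record(Event("P-100", d, "disclosure", "Acme Health Plan", "payment", ("diagnosis", "procedure codes")))
    led.record(Event("P-100", d, "disclosure", "BillCo Inc.", "payment", ("procedure codes",)))
    led.record(Event("P-100", d, "disclosure", "State Immunization Registry", "public health", ("immunizations",)))
    led.record(Event("P-100", d, "use", "clinic nurse (internal)", "treatment", ("diagnosis",)))
    led.record(Event("P-200", d, "disclosure", "Acme Health Plan", "payment", ("diagnosis",)))
    return led
```

With the exceptions applied, the sample patient sees only the public-health disclosure; the two payment-related transfers and the internal access, the ones a victim of fraudulent billing would most need to trace, are invisible.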

[105] For example, at the September 2005 HIT/HIPAA summit in Washington DC, a representative from the Office of Civil Rights made such a statement in a panel discussion on the topic.

[106] A national campaign toward modernizing, digitizing and automating health care records is currently underway, as are plans for the creation of a national networked architecture to manage those records (the NHIN.) See, for example, Executive Order 13335, “Incentives for the Use of Health Information Technology and Establishing the Position of the National Health Information Technology Coordinator” (Washington, D.C.: Apr. 27, 2004). Also see the Office of the National Coordinator for Health Information Technology (ONC) <http://www.hhs.gov/healthit/>.

[107] For a more detailed discussion of these issues, see the World Privacy Forum testimony on Electronic Health Records (EHRs) and the National Health Information Network before the Privacy and Confidentiality subcommittee of the NCVHS. See in particular the discussion of medical identity theft and the security issues related to the NHIN. <http://www.worldprivacyforum.org/testimony/NCVHStestimony_092005.html>.

[108] Many tools have become available to facilitate HIPAA compliance, including software and enterprise systems designed specifically for automating the accounting of disclosures. See, among many examples, HIPAA Guard by Integritas <http://www.integritas.com/>, which is a paperless accounting of disclosures system; the Etrack Disclosure Tracking System <http://www.hipaarx.net/products_disclosures.htm>; Cortrak <http://www.cortrak.com/>; and HPATS by IO Datasphere, among many others.
